The real cyber security risk to lawyers

Not updating your mobile devices and hardware has the potential to expose confidential client information, writes David Rudduck.

Would you like your bank account emptied? I didn’t think so. Well, just like running old and outdated computers in your business (can anyone say Windows XP?), running an old and outdated mobile phone could be just as risky – if not worse!

If you use your mobile phone simply to make telephone calls and never, ever use it to browse the internet, read emails or send and receive text messages, then this article is irrelevant to you.

For those of you left (which I’d hazard is the vast majority), if you ever use [any of these platforms on your phone], and your phone is a few years old, you could be an easy mark for organised criminals looking to make your data theirs.

Security researchers have reported a significant increase in malware targeting old and outdated mobile phones. The malware sits silently in the background, recording all your account logins, passwords and PINs – including those of your online banking!

The malware is delivered in a number of ways – from seemingly innocuous website advertising (which just happens to have specially crafted malicious code embedded in it), so that simply visiting a ‘safe’ website infects your device, to something as simple and innocent as a text message.

You see, the problem is that while we live in a society of consumerism, some of us don’t rush out to buy the latest technology. Many would argue this is a good thing. You’re not being caught in the trap of spending money for the sake of spending, but sadly this may also be putting you and your clients at risk.

Manufacturers that use Google Android on their phones, like Samsung, HTC, Sony, Motorola and LG, will typically stop providing software and security updates to their handsets after about two years as they turn their focus to their new phones.

A similar philosophy is shared with Apple’s phones. After a certain period of time, the latest version of Apple’s mobile software is no longer made available to older handsets.

The issue here is that while the phone (or tablet) may still be usable, the device is not getting patched against bugs and security risks that have been discovered – leaving the user open to attack.

And because organised criminals are entrepreneurial, they’ve worked out that many of us are still using outdated technology that has many openly published bugs they can leverage to their advantage.

As I said above, something as simple as a specially crafted SMS can be sent to many older Android mobile devices to infect them with malware and ‘rootkits’. You wouldn’t even know if you’d been hit, until of course your bank rang you to tell you you’d had your accounts drained.

Or take for example the fact that the crims have worked out how to leverage internet advertising systems to infect your computers. How many times have IT professionals banged on about not visiting unsafe websites on your work devices? I’ve lost my voice over it!

Well, forget all that. You can actually be infected just by visiting news.com.au if one of the advertising partners has inadvertently let a malicious actor run an advertising campaign that has some special code in it to infect people who see their advertising. You don't even need to click it any more!

Just like phasing out Windows XP and Windows Server 2003 a few years back, you need to budget for replacing your mobile devices every few years, and you need to keep their software up to date by regularly checking for and installing software updates.

If you run Android, install an anti-virus program. Sophos and Webroot offer excellent protection.

Consider a password management system like LastPass or 1Password. When used correctly, it will ensure every website you visit has a super-complex password, and you’ll only need to remember a single password for your password wallet, which can be accessed on your computer and mobile devices.

And if you want ultimate protection, implement multi-factor authentication. RSA tokens for banking institutions mean that even if your account details are compromised, without that rotating six-digit number no one is getting into your account or transferring your funds elsewhere.

You can likewise use services like Google Authenticator to provide two-factor authentication (2FA) for Facebook, Google, emails and many other web services.

In summary, remember to update your digital devices. While using outdated platforms can create annoyance for some, it actually has the potential to impact you as a lawyer, and your clients, on an astronomical scale.

Lawyers Weekly is the leading authoritative source of independent news, analysis and opinion about the business of law in Australia. It includes expert opinion pieces, analysis of the issues impacting on the business of firms, broader geographic coverage of events and issues, regular technology reports as well as regular training & education reports.